Abstract

We study a general scenario where confidential information is distributed
among a group of agents who wish to share it in such a way that
the data becomes common knowledge among them but an eavesdropper
intercepting their communications would be unable to obtain any of said
data. The information is modelled as a deck of cards dealt among the
agents, so that after the information is exchanged, all of the communicating
agents must know the entire deal, but the eavesdropper must remain
ignorant about who holds each card.

Valentin Goranko and the author previously set up this scenario as 
the secure aggregation of distributed information problem and constructed 
weakly safe protocols, where given any card c, the eavesdropper does not 
know with certainty which agent holds c. Here we present a perfectly safe 
protocol, which does not alter the eavesdropper’s perceived probability 
that any given agent holds c. In our protocol, one of the communicating 
agents holds a larger portion of the cards than the rest, but we show how 
for infinitely many values of a, the number of cards may be chosen so that 
each of the m agents holds more than a cards and less than 2m?a. 


1 Introduction 

Consider a multi-agent network, where each individual holds private information
which must be shared among the group, perhaps to reach a consensus or
to share a secret. Communication among the agents may be intercepted, leading
to the risk of an eavesdropper obtaining confidential data. If encryption
is either impossible or undesirable, the agents may use an unconditionally secure
protocol, where the exchange would not contain enough information for
an eavesdropper to learn a secret m- This scenario may crop up in many
applications, for example when fusing sensorial information or data from computations
performed by the individual agents. Alternately, it may have been
distributed among the agents in such a way that only by pooling together their
knowledge will they have access to sensitive information, as may be the case in
secret-sharing protocols [iin].

We will model a situation of this form, where the information is represented
by a deck of cards $\Omega$ dealt among $m$ agents. The dealing phase is treated as a
black box and assumed to be secure. Each of the agents may see her hand, but
not the others’. They then want to inform each other of which cards they hold.
Meanwhile, the eavesdropper, Eve, may intercept all communications, and the
agents do not want her to obtain information about who holds any card. In this 
setting, we will show that for many possible distributions of cards among the 
agents, it is indeed possible for them to share the data securely. 

1.1 Comparison to known results 

The model we consider is a multi-agent variation of the well-known Russian 
cards problem. The latter may be traced back to [7] but has recently received 
renewed attention [H], leading to many new solutions (e.g. [Dll US]). In the 
original Russian cards problem, there are only two communicating agents. In 
[^, this was generalized by allowing an arbitrary number of agents, but also 
simplified by assuming that the eavesdropper has no cards in her hand. A key 
difference between the two-agent and multi-agent setting is that with only two 
agents, two announcements are usually sufficient for the information exchange, 
whereas in our setting one might expect to have at least one announcement per 
agent. However, we remark that longer protocols are already needed to solve 
some instances with two agents mm- 

There is more than one way to model the safety constraint. For any card 
c not held by Eve, she should not know with certainty which agent holds c; 
this is known as weak safety. But it may be the case that Eve has a very high 
probability of guessing correctly who holds c. To this end, m introduced the 
stronger notion of perfect safety, where Eve’s perceived probability that an agent 
holds c does not change after executing the protocol. Perfectly safe solutions 
for a wider number of cases were later reported in |12j . and [S] proposed an 
approximate notion which led to ‘almost-perfectly’ safe solutions. 

In [5] we formalized the secure aggregation of distributed information problem
and constructed weakly safe solutions for any number of agents. Our goal
now is to construct, instead, perfectly safe solutions. These are based on finite
linear algebra, and typically one agent holds a large portion of the cards. However,
for infinitely many values of $a$, the size of the deck may be chosen so that
each of the m agents holds more than a and less than Am?a of the cards. 

1.2 Layout of the article 

In Section 2 we present a motivating example illustrating our protocol in an
informal setting. Section 3 then formalizes the secure aggregation of distributed
information problem and Section 4 introduces the notion of perfect safety. Our
protocol is based on finite linear algebra, which we review in Section 5 along
with some general lemmas we need. In Section 6 we define the protocol and
show that it is informative, while in Section 7 we prove that it is perfectly
safe. Finally, in Section 8 we show how one can find relatively balanced card
distributions to which the protocol may be applied.

2 A motivating example 

Let us begin by presenting a solution for a distribution of type (12, 2, 2). This
means that Alice draws twelve cards from a deck of sixteen, while Bob and Cath
each draw two cards. Let us use $H_{\mathcal{A}}$, $H_B$ and $H_C$ to denote the hands
held by Alice, Bob and Cath, respectively. Then, for any card $c$, the probability
that a given agent holds $c$ is proportional to the number of cards in their hand;
thus, $P(c \in H_{\mathcal{A}}) = 12/16$ and $P(c \in H_B) = P(c \in H_C) = 2/16$.

Now, let us show how Alice, Bob and Cath can communicate their cards to 
each other by way of public broadcasts, in such a way that, after the exchange, 
each of Alice, Bob and Cath knows the entire deal, without changing Eve’s 
perceived probabilities that a given agent holds a given card. Alice will make 
the first announcement, followed by Bob; it is not necessary for Cath to make 
an announcement in this setting since she merely holds the complement of Alice 
and Bob’s hands. 

2.1 Alice’s announcement 

Here we use the fact that there is a field $\mathbb{F}_4$, whose elements are $\{0, 1, \varphi, \varphi^2\}$,
satisfying $1 + 1 = 0$ and $\varphi^2 = \varphi + 1$. With this we construct a 16-point plane,
$\mathbb{F}_4^2$. Alice makes her announcement as follows. First, she randomly assigns each
card in the deck to a point on the plane, with the only condition that the cards
she does not¹ hold form a line $\ell$. In the figure, Bob holds spades, Cath holds
clubs and Alice holds diamonds, so that $\ell$ is the diagonal $y = x$.

Alice then announces.

The complement of my hand forms a line of the form $y = ax + b$ on
the plane $\mathbb{F}_4^2$.

Observe that, since there are four choices for each of a and b, there are a total 
of 16 possible deals according to Alice’s announcement. 

Because Bob holds two cards, and two points define a line, Bob knows exactly 
which line his and Cath’s cards lie on and thus he knows Alice’s hand. Similarly, 
Cath knows Alice’s hand, and in this example in fact Bob and Cath know the 
entire deal. However, they must inform Alice of their hand. For this, Bob must
make an additional announcement. 

¹ Compare this to the protocol presented in [5], where it is Alice’s hand that would form a
line rather than its complement.

[Figure 1: Alice holds the complement of the line $y = x$ in the 16-point plane.]

2.2 A weakly card-safe announcement for Bob 

So it remains for Bob and Cath to inform Alice of their hands. A simple idea
that they could use is simply to announce the first coordinates of the points on
their hand. In the figure, Bob would say “The first coordinates of my hand are
$\{1, \varphi^2\}$,” while Cath would say “The first coordinates of my hand are $\{0, \varphi\}$.”
In fact, Cath’s announcement follows from Bob’s, so she may actually omit it.

As mentioned, Bob and Cath already knew the entire deal, but now Alice can
use the fact that each point of $\ell$ is uniquely determined by its first coordinate to
infer Bob’s and Cath’s actual hand. Meanwhile, given any card $c$, Eve cannot
tell whether or not Alice holds $c$. Consider, for example, the card $(0,0)$. In
the actual deal, Alice does not hold this card, but the only information that
Eve has is that Alice holds the complement of a line of the form $y = ax + b$.
Thus if $b \neq 0$, Alice would in fact hold $(0,0)$. This means that there are three
possible values for $b$ which would let Alice hold the origin, and for each choice
there are four possible values of $a$, giving us a total of 12 possible deals (from
Eve’s perspective) under which Alice holds $(0,0)$.

However, this exchange is not perfectly safe. For indeed, since she knows
that Bob’s hand projects onto $\{1, \varphi^2\}$, Eve can infer that Bob does not hold
the card $(0,0)$. Thus this protocol is only weakly safe. But there is a variation
which does yield perfect safety.

2.3 A perfectly card-safe announcement for Bob 

The only thing that Eve knows about $\ell$ is that it is of the form $y = ax + b$. This
$a$ will be used to shift the elements of $\mathbb{F}_4$ around and add more uncertainty to
Bob’s announcement. To be precise, if $\ell$ has slope $a$, Bob will now announce,
instead of the first coordinates of his hand, these coordinates plus $a$. Let $\sigma(\ell)$
denote the slope of $\ell$. In this example, since Bob’s hand projects onto $\{1, \varphi^2\}$
and $\ell$ has slope 1, Bob will instead announce the value of

$$\{1, \varphi^2\} + \sigma(\ell) = \{1, \varphi^2\} + 1 = \{0, \varphi\};$$

note that we are using the convention that $X + y = \{x + y : x \in X\}$. His
announcement will then take the form

“If my hand, $H_B$, lies on a line $\ell$, then

7Jg + $\sigma(\ell)$ = $\{0, \varphi\}$.”

This new protocol is actually perfectly safe. To see this, first note as before
that Alice can hold any card (just replace $\ell$ by a parallel line as needed). But
any card may also be held by Bob or by Cath. Let us show this with the card
$(0,0)$, held by Cath. Because in the actual deal Cath holds $(0,0)$, Eve evidently
finds it possible that Cath holds it.

However, Eve also considers it possible that Bob holds it instead. There are
four lines $\ell'$ passing through $(0,0)$ of the form $y = ax + b$, and Eve considers all
of these as the possible set of cards that Bob and Cath hold. If $\ell'$ has slope 1,
as is actually the case, then Cath would hold $(0,0)$. But suppose instead that
$\ell'$ is the line given by $y = \varphi x$, so that

$$\ell' = \{(0,0), (1,\varphi), (\varphi,\varphi^2), (\varphi^2,1)\}.$$

Then, $\ell'$ has slope $\varphi$, and $\sigma(\ell') = \varphi$. If indeed Bob and Cath’s hands lay on
$\ell'$, according to Bob’s announcement, the first coordinates of his hand would be
$0 - \sigma(\ell') = \varphi$ and $\varphi - \sigma(\ell') = 0$, so that in this case Bob would hold $(0,0)$.

[Figure 2: According to Bob’s announcement, if Bob and Cath held the line
$y = \varphi x$, this is how the cards would be dealt.]

More generally, if $\ell'$ is given by $y = ax$, then Bob would hold $(0,0)$ if
$a \in \{0, \varphi\}$, while Cath would hold it if $a \in \{1, \varphi^2\}$. This means that, from
Eve’s perspective, there are two possible deals where Bob holds $(0,0)$ and two
possible deals where Cath holds it. But as we saw above, there are 12 possible
deals where Alice holds $(0,0)$; we also saw that there are a total of 16 possible
deals, so Cath’s perceived probability that Alice, Bob or Cath holds $(0,0)$ are
12/16, 2/16 and 2/16, respectively; the same as before the protocol began!

A similar exercise may be applied to any point $(x, y)$ on the plane to verify
that this occurs for any card and thus the protocol is indeed perfectly safe.
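
The exercise above can be carried out exhaustively by machine. The following is an added example, not code from the paper: it enumerates the 16 lines Eve considers possible and counts, for every point of the plane, how many of the resulting deals give that point to Alice, Bob or Cath, for both the unshifted announcement of Section 2.2 and the shifted one of Section 2.3. The integer encoding of $\mathbb{F}_4$ and all function names are assumptions of this sketch.

```python
from itertools import product

# GF(4) = {0, 1, phi, phi^2}, encoded as 0, 1, 2, 3: bit i is the coefficient
# of phi^i, so phi^2 = phi + 1 is 0b11. This encoding is an assumption of the sketch.
PHI, PHI2 = 2, 3
F4 = (0, 1, PHI, PHI2)
PLANE = frozenset(product(F4, repeat=2))   # the 16 points of the plane
AGENTS = ("Alice", "Bob", "Cath")


def add(x, y):
    """Addition in GF(4). Since 1 + 1 = 0 it is XOR, and x - y equals x + y."""
    return x ^ y


def mul(x, y):
    """Multiplication in GF(4): polynomial product reduced with phi^2 = phi + 1."""
    r = 0
    for i in range(2):
        if (y >> i) & 1:
            r ^= x << i
    if r & 0b100:          # a phi^2 term appeared: replace it by phi + 1
        r ^= 0b111
    return r


def line(a, b):
    """The four points of the line y = a*x + b."""
    return frozenset((x, add(mul(a, x), b)) for x in F4)


def bob_announcement(bob_points, slope, shifted):
    """First coordinates of Bob's points, plus the slope in the shifted variant."""
    return frozenset(add(x, slope if shifted else 0) for x, _ in bob_points)


def possible_deals(announced, shifted):
    """Every deal Eve considers possible after Alice's and Bob's announcements.

    Eve only knows that the complement of Alice's hand is one of the 16 lines
    y = a*x + b; for each candidate line she undoes Bob's shift to split it.
    """
    deals = []
    for a, b in product(F4, repeat=2):
        ell = line(a, b)
        bob_x = {add(x, a if shifted else 0) for x in announced}
        bob = frozenset(p for p in ell if p[0] in bob_x)
        deals.append({"Alice": PLANE - ell, "Bob": bob, "Cath": ell - bob})
    return deals


def holder_counts(deals):
    """Map each point to (#deals Alice holds it, #deals Bob, #deals Cath)."""
    return {
        pt: tuple(sum(pt in deal[agent] for deal in deals) for agent in AGENTS)
        for pt in PLANE
    }


# The deal from the example: Bob and Cath share the diagonal y = x (slope 1),
# and Bob's points have first coordinates {1, phi^2}.
ACTUAL_SLOPE = 1
ACTUAL_BOB = frozenset({(1, 1), (PHI2, PHI2)})

if __name__ == "__main__":
    for shifted in (False, True):
        said = bob_announcement(ACTUAL_BOB, ACTUAL_SLOPE, shifted)
        counts = holder_counts(possible_deals(said, shifted))
        label = "shifted (2.3)" if shifted else "unshifted (2.2)"
        print(label, "Bob announces", sorted(said))
        print("  counts for (0,0):", counts[(0, 0)])
        print("  distinct count triples:", sorted(set(counts.values())))
```

Dividing each count by the 16 possible deals gives Eve's perceived probabilities: with the shifted announcement every point has the same triple, while the unshifted announcement rules Bob out for the origin.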

2.4 Generalizing to more agents 

In a more general setting, there may be $m + 1$ communicating agents
We will work in $\mathbb{F}_q^{d+1}$, where $q > m$ is a prime power and $d > 0$. Alice will hold
all cards except for those that would make up a hyperplane; that is, she would
hold $q^{d+1} - q^d$ cards, which is more than any other agent. The rest of the agents
share the remaining cards, with the only restriction that each of them holds
more than $q^{d-1}$ of them. Then, Alice will assign a point on $\mathbb{F}_q^{d+1}$ to each card
in such a way that the complement of her cards forms a hyperplane $V$ of the form

$$x_{d+1} = a_1 x_1 + \ldots + a_d x_d + b$$

and announce her chosen assignment. Each other agent $B_k$ holds enough cards
to be able to identify $V$, hence Alice’s hand. Then, we define

$$\sigma(V) = (a_1, \ldots, a_d) \in \mathbb{F}_q^d$$

(the ‘slope’ of $V$, similar to a gradient). In our example, the line $\ell$ plays the
role of the hyperplane $V$ (since a line on the plane is a hyperplane).

If we denote by $\pi: \mathbb{F}_q^{d+1} \to \mathbb{F}_q^d$ the projection onto the first $d$ components,
each agent $B_k$ will announce² $\pi[Y_k] + \sigma(V)$, where $Y_k$ is the set of points $B_k$
holds (technically, the image of $B_k$’s hand under Alice’s chosen assignment).
As we shall see, even in this more general setting, this protocol will always be
informative and perfectly safe. In the remainder of this paper, we will make
this precise.


3 Formalizing the problem 

Here we will give the basic definitions needed to set up the secure aggregation 
of distributed information problem, including the notions of informativity and 
safety that concern us. This section is essentially a review of notions from [^, 
although we remark that some of the terminology has changed. 

3.1 Basic terminology and notation 

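Definition 3.1. Let $J$ be a finite set representing a group of agents. By a
distribution type we mean a vector $\tau = (\tau_{\mathcal{X}})_{\mathcal{X} \in J}$ of positive integers. We write
$|\tau|$ for $\sum_{\mathcal{X} \in J} \tau_{\mathcal{X}}$.

The deck, $\Omega$, is a finite set of cards with cardinality $|\tau|$. A deal of type $\tau$
over $\Omega$ is a partition $H = (H_{\mathcal{X}})_{\mathcal{X} \in J}$ of $\Omega$ such that $|H_{\mathcal{X}}| = \tau_{\mathcal{X}}$ for each agent
$\mathcal{X}$. We say $H_{\mathcal{X}}$ is the hand of $\mathcal{X}$. We denote the set of all deals of type $\tau$ over
$\Omega$ by $\binom{\Omega}{\tau}$.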

We assume an initial secure dealing phase in which a card deal is selected
randomly. Afterwards, the agents have knowledge of their own hand and of the
distribution type $\tau$ of the deal, but know nothing more about others’ cards.
Thus, they are not able to distinguish between different deals where they hold
the same hand. We model this by equivalence relations between deals; since
from the perspective of agent $\mathcal{X}$, a deal $H$ is indistinguishable from deal $H'$
whenever $H_{\mathcal{X}} = H'_{\mathcal{X}}$, we define $H \sim_{\mathcal{X}} H'$ if and only if $H_{\mathcal{X}} = H'_{\mathcal{X}}$. If the agents
are numbered $\mathcal{X}_0, \ldots, \mathcal{X}_m$, we may write $\sim_k$ instead of $\sim_{\mathcal{X}_k}$.

² In general, if $f$ is a function we use $f(x)$ to denote the value of $f$ at a point and $f[X]$ to
denote the image of a set $X$ under $f$.

We will fix a set $A$ representing a language which the agents use to encode
information. In a practical setting, elements of $A$ would be strings of symbols,
but could also be modelled as natural numbers; we will refer to them simply as
tokens. For simplicity we will assume that agents take turns, so that if they are
listed by $\mathcal{X}_0, \ldots, \mathcal{X}_m$, then $\mathcal{X}_0$ places a token first, followed by $\mathcal{X}_1$, etc.

Definition 3.2 (Run). Let $A$ be a set whose elements will be called tokens. A
(finite) run is a (possibly empty) sequence $p = a_0, \ldots, a_n$ of tokens from $A$. The
empty run is denoted by $()$. If $p = a_0, \ldots, a_n$ and $a$ is a token we write $p * a$ for
$a_0, \ldots, a_n, a$. An infinite run is an infinite sequence $a_0, a_1, a_2, \ldots$ of tokens.
Runs will be assumed finite unless it is explicitly stated otherwise. We denote
the length of a run $p$ by $|p|$. We denote the set of finite runs by Run.

We now define the notion of protocol we will use. Below we use $(x)_d$ to mean
the remainder of $x$ modulo $d$.

Definition 3.3 (protocol). Let $\tau$ be a distribution type over $J = \{\mathcal{X}_0, \ldots, \mathcal{X}_m\}$.
A protocol (for $\tau$) is a function $\Pi$ assigning to every deal $H \in \binom{\Omega}{\tau}$ and every
run $p \in \mathrm{Run}$ a set of tokens $\Pi(H, p) \subseteq A$ such that if $k = (|p|)_{m+1}$ (so that it is
the turn of the agent $\mathcal{X}_k$) and $H \sim_k H'$, then $\Pi(H, p) = \Pi(H', p)$.

Thus, a protocol is a tree-like set of runs representing a non-deterministic
protocol for the communicating agents. Once a deal has been fixed, a protocol
assigns to each run a set of tokens out of which the agent whose turn it is
must choose one at random. These tokens are determined exclusively by the
information the agent has access to, which is assumed to be only: (i) her hand,
(ii) the distribution type $\tau$ and the deck $\Omega$, (iii) the announcements that have
been made previously and (iv) the protocol being executed.

Note that protocols are generally non-deterministic and hence may have 
many executions: 

Definition 3.4. An execution of a protocol $\Pi$ is a pair $(H, p)$ consisting of a
deal $H \in \binom{\Omega}{\tau}$ and a run $p = a_0, \ldots, a_n$, such that $a_k \in \Pi(H, p_{<k})$ for every
$k \le n$, where $p_{<k} = a_0, \ldots, a_{k-1}$ ($p_{<0}$ is empty). We say that $p$ is a run of $\Pi$
if there exists a deal $H$ such that $(H, p)$ is an execution of $\Pi$.

An execution $(H, p)$ of a protocol is terminal if $\Pi(H, p) = \varnothing$. A protocol is
terminating if it has no infinite executions.

3.2 Informative and weakly safe protocols 

Now we will define some desirable properties that protocols may have. The first
property is informativity: that agents in the team learn the entire deal at the
end of its execution:

Definition 3.5 (Informativity). An execution $(H, p)$ of a protocol $\Pi$ is informative
for an agent $\mathcal{X}$ if there is no execution $(H', p)$ of $\Pi$ with $H' \neq H$ but
$H_{\mathcal{X}} = H'_{\mathcal{X}}$ (i.e., at the end of the run the agent knows the precise card distribution).

A terminating protocol $\Pi$ is informative if every terminating execution of $\Pi$
is informative for every agent in $J$.

In we considered a weak notion of safety and showed that informative 
and weakly safe protocols exist for a large class of distribution types. 

Definition 3.6 (Weak safety of protocols). An execution $(H, p)$ of a protocol
$\Pi$ is weakly safe for the card $c$ if there are agents $\mathcal{X} \neq \mathcal{Y}$ and a deal $H' \in \binom{\Omega}{\tau}$
such that $(H', p)$ is also an execution of $\Pi$ but $c \in H_{\mathcal{X}}$ and $c \in H'_{\mathcal{Y}}$.

A protocol $\Pi$ is weakly safe if every execution of $\Pi$ is weakly safe for every
card.

However, a weakly safe protocol may give Eve a large amount of probabilistic 
information. To this effect, in the next section we will turn to formalizing a 
stronger notion of safety. 

4 Perfect safety 

A weakly safe protocol does not allow Eve to know with certainty who holds 
a given card c, but she may gain other information about it; for example, she 
may learn that a certain agent $\mathcal{X}$ does not hold $c$, or perhaps that an agent $\mathcal{Y}$
is very likely to hold c. Thus it will be desirable to control the probabilistic 
information that Eve obtains. 

In order to do so, we will make two assumptions: 

1. The dealer chooses uniformly from the set of all deals. 

2. In any protocol $\Pi$, each agent always chooses uniformly from $\Pi(H, p)$,
provided it is non-empty.

To compute the relevant probabilities, it will be useful to introduce the notation
$({\Omega \atop \tau} : C_1, \ldots, C_n)$ to denote the set of deals satisfying the constraints $C_1, \ldots, C_n$.

Definition 4.1. Fix a deck $\Omega$, a distribution type $\tau$ and a protocol $\Pi$. Then
define:

• For a run $p$, $({\Omega \atop \tau} : p)$ to be the set of all $H \in \binom{\Omega}{\tau}$ such that $(H, p)$ is an
execution of $\Pi$. Elements of $({\Omega \atop \tau} : p)$ are possible deals (according to Eve).

• For a card $c$ and an agent $\mathcal{X}$, $({\Omega \atop \tau} : c^{\mathcal{X}})$ to be the set of deals $H$ such that
$c \in H_{\mathcal{X}}$.

• For a run $p$, a card $c$ and an agent $\mathcal{X}$,

$$({\Omega \atop \tau} : p, c^{\mathcal{X}}) = ({\Omega \atop \tau} : p) \cap ({\Omega \atop \tau} : c^{\mathcal{X}}),$$

the set of possible deals where $\mathcal{X}$ holds $c$.

With this we can define the following generalization of a notion introduced
in [13].

Definition 4.2 (Equitative protocol). A protocol $\Pi$ is equitative if for every
run $p$ of $\Pi$ there is a constant $k = k(p)$ such that for every deal $H \in ({\Omega \atop \tau} : p)$ we
have that $|\Pi(H, p)| = k$.

In other words, $|\Pi(H, p)|$ depends on $p$ but not on $H$. Equitative protocols
will allow us to simplify many computations. Throughout the text, we use $P$ to
denote probability.

Lemma 4.1. Let $\Pi$ be an equitative protocol over some distribution type $\tau$ and $p$ be
a run of $\Pi$. Then, there is a constant $\gamma = \gamma(p) \in (0, 1]$ so that, for any deal $H$,

$$P(p \mid H) = \begin{cases} \gamma & \text{if } H \in ({\Omega \atop \tau} : p), \\ 0 & \text{otherwise.} \end{cases}$$

Proof. It is obvious that $P(p \mid H) = 0$ if $H \notin ({\Omega \atop \tau} : p)$. Otherwise, we proceed
by induction on the length of $p$.

For the base case, $p = ()$ and $P(p \mid H) = 1$ (since every execution begins
with the empty run). Otherwise, we consider a run of the form $p * a$. Let
$k = k(p)$ be such that $|\Pi(H, p)| = k$ for any deal $H \in ({\Omega \atop \tau} : p)$. By induction
hypothesis, $P(p \mid H) = \gamma' = \gamma(p)$ for any $H \in ({\Omega \atop \tau} : p)$. Then, for any deal
$H \in ({\Omega \atop \tau} : p)$,

$$P(p * a \mid H) = P(a \mid p, H)\, P(p \mid H) = (1/k)\,\gamma',$$

and we can set $\gamma(p * a) = \gamma'/k$. □


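Proposition 4.1. Let $\Pi$ be an equitative protocol over some distribution type
$\tau$. Then, for any run of the protocol $p$, $c \in \Omega$ and any $\mathcal{X} \in J$,

$$P(c \in H_{\mathcal{X}} \mid p) = \frac{|({\Omega \atop \tau} : p, c^{\mathcal{X}})|}{|({\Omega \atop \tau} : p)|}.$$

Proof. By Bayes’ law,

$$P(c \in H_{\mathcal{X}} \mid p) = \frac{P(c \in H_{\mathcal{X}}, p)}{P(p)} = \frac{\sum_{H \in ({\Omega \atop \tau} : c^{\mathcal{X}})} P(p \mid H)\, P(H)}{\sum_{H \in \binom{\Omega}{\tau}} P(p \mid H)\, P(H)}. \qquad (1)$$

But by Lemma 4.1, $P(p \mid H)$ is some constant $\gamma = \gamma(p)$ if $H \in ({\Omega \atop \tau} : p)$ and zero
otherwise. Moreover, since deals are also chosen uniformly, $P(H) = \delta$ for some
constant $\delta$.
Thus, (1) becomes

$$\frac{\sum_{H \in ({\Omega \atop \tau} : c^{\mathcal{X}})} P(p \mid H)\, P(H)}{\sum_{H \in \binom{\Omega}{\tau}} P(p \mid H)\, P(H)} = \frac{\sum_{H \in ({\Omega \atop \tau} : p, c^{\mathcal{X}})} \gamma\delta}{\sum_{H \in ({\Omega \atop \tau} : p)} \gamma\delta} = \frac{|({\Omega \atop \tau} : p, c^{\mathcal{X}})|}{|({\Omega \atop \tau} : p)|},$$

as claimed. □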


5 Geometric preliminaries 


Our perfectly safe solution is based on finite linear algebra. We assume some 
basic familiarity with finite fields and finite geometry; these are covered in texts 
such as [5] and [S], respectively. 

Throughout the paper, $q$ will denote a prime or a power of a prime, and $\mathbb{F}_q$
the field with $q$ elements. If $d$ is any natural number, $\mathbb{F}_q^d$ denotes the vector
space of dimension $d$ over $\mathbb{F}_q$. Given $U \subseteq \mathbb{F}_q^d$ and $v \in \mathbb{F}_q^d$, we write $U + v$ for
the set $\{u + v : u \in U\}$. A hyperspace is a subspace of dimension $d - 1$, and
by a hyperplane we mean any set of the form $U + v$, where $U$ is a hyperspace.
Two hyperplanes $X, Y$ are parallel if $X \neq Y$ but there is a vector $x$ such that
$X = Y + x$.

Recall that $|\mathbb{F}_q^d| = q^d$, where in general $|X|$ denotes the cardinality of $X$.
Moreover, if $U \neq V$ are hyperplanes, then $U$ has exactly $q^{d-1}$ elements, while
$|U \cap V| \le q^{d-2}$ and equality holds unless $U, V$ are parallel, in which case their
intersection is empty.

In our example in Section 2 it was important that the line $\ell$ have an equation
of the form $y = ax + b$. This readily generalizes to the higher-dimensional setting,
as defined below.

Definition 5.1. Given a prime power $q$ and $d > 0$, we say that $V \subseteq \mathbb{F}_q^{d+1}$ is a
transversal hyperplane if there are $a_1, \ldots, a_d, b \in \mathbb{F}_q$ such that $V$ is the graph of

$$x_{d+1} = a_1 x_1 + \ldots + a_d x_d + b.$$

If $b = 0$ then we say $V$ is a transversal hyperspace.

We denote the set of transversal hyperplanes in $\mathbb{F}_q^{d+1}$ by $\mathrm{TH}_q^{d+1}$. Given
$x \in \mathbb{F}_q^{d+1}$, we denote by $\mathrm{TH}_q^{d+1}[x]$ the set of transversal hyperplanes in $\mathbb{F}_q^{d+1}$
touching $x$.

It will be useful (and straightforward) to count the number of transversal
hyperplanes in $\mathbb{F}_q^{d+1}$.

Lemma 5.1. Fix a prime power $q$ and a natural number $d$. Then,

1. $|\mathrm{TH}_q^{d+1}| = q^{d+1}$;

2. for any $x \in \mathbb{F}_q^{d+1}$, $|\mathrm{TH}_q^{d+1}[x]| = q^d$.

Proof. For the first claim note that a transversal hyperplane is determined by
an equation

$$x_{d+1} = a_1 x_1 + \ldots + a_d x_d + b$$

and there are $q$ choices for each $a_k$ as well as for $b$, giving a total of $q^{d+1}$ options.

For the second, we may assume that $x = 0$ without loss of generality. This
forces us to set $b = 0$. Then we must merely choose each $a_k$, and since there are
$d$ of them we have $q^d$ options. □


Next, we define the ‘slope’ of a transversal hyperplane, which is itself a 
vector. 

Definition 5.2. Given a prime power $q$ and a positive integer $d$, we define
$\sigma: \mathrm{TH}_q^{d+1} \to \mathbb{F}_q^d$ given by $\sigma(V) = (a_1, \ldots, a_d)$ whenever $a_1, \ldots, a_d \in \mathbb{F}_q$ are such
that $V$ is the graph of

$$x_{d+1} = a_1 x_1 + \ldots + a_d x_d + b.$$

The following is then immediate:

Lemma 5.2. Given a prime power $q$, $d > 0$ and $x \in \mathbb{F}_q^{d+1}$, the restriction
$\sigma: \mathrm{TH}_q^{d+1}[x] \to \mathbb{F}_q^d$ is a bijection.

It will also be useful to project the points on a transversal hyperplane V 
onto their first d coordinates. In particular, the projection of one such point 
will be sufficient to determine its missing component, provided we know what 
V is. 

Definition 5.3. Fix a prime power $q$ and $d > 0$. We define $\pi: \mathbb{F}_q^{d+1} \to \mathbb{F}_q^d$ by
$\pi(x_1, \ldots, x_{d+1}) = (x_1, \ldots, x_d)$.

Lemma 5.3. Given a prime power $q$, $d > 0$ and $V \in \mathrm{TH}_q^{d+1}$, $\pi: V \to \mathbb{F}_q^d$ is a
bijection. We denote its inverse by $\iota_V$.

Proof. If $V$ is given by the equation

$$x_{d+1} = a_1 x_1 + \ldots + a_d x_d + b,$$

then it is easy to see that $\pi: V \to \mathbb{F}_q^d$ has an inverse given by

$$\iota_V(x_1, \ldots, x_d) = (x_1, \ldots, x_d, a_1 x_1 + \ldots + a_d x_d + b).$$ □

In Section 2 we saw that Bob constructed his announcement by projecting
and shifting. We also saw that Alice could reconstruct Bob’s hand from this
announcement. Let us now present these operations in more generality.

Definition 5.4. Let $V$ be a transversal hyperplane of $\mathbb{F}_q^{d+1}$. We define $\hat\pi_V: V \to \mathbb{F}_q^d$
by

$$\hat\pi_V(w) = \pi(w) + \sigma(V)$$

and $\hat\iota_V: \mathbb{F}_q^d \to V$ by

$$\hat\iota_V(y) = \iota_V(y - \sigma(V)).$$

Lemma 5.4. If $q$ is a prime power, $d \ge 1$ and $V \in \mathrm{TH}_q^{d+1}$, then $\hat\pi_V \circ \hat\iota_V$ is the
identity on $\mathbb{F}_q^d$ and $\hat\iota_V \circ \hat\pi_V$ is the identity on $V$.

Proof. Using Lemma 5.3 we see that, for $x \in \mathbb{F}_q^d$,

$$\hat\pi_V \circ \hat\iota_V(x) = \hat\pi_V(\iota_V(x - \sigma(V))) = \pi(\iota_V(x - \sigma(V))) + \sigma(V) = x - \sigma(V) + \sigma(V) = x.$$

That $\hat\iota_V \circ \hat\pi_V$ is the identity on $V$ is proven similarly. □


6 The shifted projection protocol 

With these ingredients we are ready to define our protocol. It depends on several 
parameters which must be ‘suitably’ chosen, in the following sense. 

Definition 6.1 (suitable parameters). We say $(m, q, d, \tau)$ are suitable parameters
if $m > 1$, $q > m$ is a prime power, $d > 0$, and $\tau$ is a distribution type
over $J = \{\mathcal{A}, B_1, \ldots, B_m\}$ such that $|\tau| = q^{d+1}$, $\tau_{\mathcal{A}} = q^{d+1} - q^d$ and, for each
$k \in [1, m]$, $\tau_{B_k} > q^{d-1}$.

Once we have selected suitable parameters, our protocol may be fully determined
by describing its maximal executions, since all other executions will
merely be initial segments of these. We will use this idea in order to simplify
the following definition.

Definition 6.2 (shifted projection protocol). Let $(m, q, d, \tau)$ be suitable parameters
and $\Omega$ be any set with $q^{d+1}$ elements. Then, given a deal $H \in \binom{\Omega}{\tau}$, the
maximal executions of the shifted projection protocol are of the form

$$(H, f, X_1, \ldots, X_m),$$

where

• $f: \Omega \to \mathbb{F}_q^{d+1}$ is such that $V = \mathbb{F}_q^{d+1} \setminus f[H_{\mathcal{A}}]$ is a transversal hyperplane and

• for each $k \in [1, m]$, $X_k = \hat\pi_V[f[H_{B_k}]]$.

The shifted projection protocol will be denoted SP.

Our goal is to prove the following: 

Theorem 6.1. The shifted projection protocol is informative and perfectly safe
for any choice of suitable parameters.

Before proceeding, we must check that we have actually given a protocol
according to our definitions.

Lemma 6.1. Given any choice of suitable parameters, the shifted projection
protocol is an equitative protocol.

Proof. We begin by checking that our protocol satisfies Definition 3.3. Suppose
that $(m, q, d, \tau)$ are suitable parameters. Let $(H, p)$ be an execution of the
shifted projection protocol and $a \in SP(H, p)$. Let $\mathcal{X}$ be the last agent to make
an announcement and $H'$ be a deal such that $H_{\mathcal{X}} = H'_{\mathcal{X}}$ and $(H, p)$ is an
execution of our protocol. We must check that $a \in SP(H', p)$ as well.

First assume that $p$ is empty, so that $a$ is Alice’s announcement of $f: \Omega \to
\mathbb{F}_q^{d+1}$. Then, $\mathbb{F}_q^{d+1} \setminus f[H_{\mathcal{A}}] = \mathbb{F}_q^{d+1} \setminus f[H'_{\mathcal{A}}]$, so that $V = \mathbb{F}_q^{d+1} \setminus f[H'_{\mathcal{A}}]$ is a
transversal hyperplane, and since $f$ was already a bijection, $f \in SP(H', ())$.

Otherwise, $\mathcal{X} = B_k$ for some $k$, and the last announcement is of the form
$X_k = \hat\pi_V[f[H_{B_k}]]$. Let $V' = \mathbb{F}_q^{d+1} \setminus f[H'_{\mathcal{A}}]$. Then, $V'$ is a hyperplane containing
$f[H'_{B_k}] = f[H_{B_k}]$. Thus, $f[H_{B_k}] \subseteq V \cap V'$ and hence $|H_{B_k}| \le |V \cap V'|$. But if $V \neq V'$
then $|V \cap V'| \le q^{d-1} < |H_{B_k}|$, which is impossible. We conclude that $V = V'$
and thus $X_k = \hat\pi_{V'}[f[H'_{B_k}]]$; it follows that $X_k \in SP(H', p)$.

It remains to check that the protocol is equitative in the sense of Definition
4.2, that is, that $|SP(H, p)|$ depends on $p$ and not on $H$. This is not hard to
see: when $p = ()$, the number of bijections $f: \Omega \to \mathbb{F}_q^{d+1}$ such that $f[H_{\mathcal{A}}]$ is
the complement of a hyperplane clearly does not depend on $H$, since different
deals are obtained merely by permuting the cards. If on the other hand $p =
f, X_1, \ldots, X_{k-1}$, then the value of $X_k$ is uniquely determined by the expression
$X_k = \hat\pi_V[f[H_{B_k}]]$, hence $|SP(H, p)| = 1$ for any deal $H$. We conclude that the
shifted projection protocol is an equitative protocol, as claimed. □

Now that we know we have a protocol, let us check that it is indeed informative
and perfectly safe. We will proceed by breaking the proof into several
steps. First, let us check that the protocol is informative.

Lemma 6.2. The shifted projection protocol is informative for any choice of
suitable parameters.

Proof. Let $(m, q, d, \tau)$ be suitable parameters. Let $(H, p)$ be a terminal execution
of the protocol, and let $\mathcal{X} \neq \mathcal{Y}$ be agents. We must check that, if $(H', p)$ is
another terminal execution of the protocol with $H'_{\mathcal{X}} = H_{\mathcal{X}}$, then also $H'_{\mathcal{Y}} = H_{\mathcal{Y}}$.

First assume that $\mathcal{Y} = \mathcal{A}$, so that $\mathcal{X} = B_j$ for some $j$. In this case, $V =
\mathbb{F}_q^{d+1} \setminus f[H_{\mathcal{A}}]$ is the unique hyperplane such that $f[H_{B_j}] \subseteq V$, and similarly
$V' = \mathbb{F}_q^{d+1} \setminus f[H'_{\mathcal{A}}]$ is the unique hyperplane such that $f[H_{B_j}] = f[H'_{B_j}] \subseteq V'$.
It follows that $V = V'$ as well and thus $H_{\mathcal{A}} = H'_{\mathcal{A}}$.

Now assume that $\mathcal{Y} = B_k \neq \mathcal{A}$. Note that by the previous case, $H_{\mathcal{A}} = H'_{\mathcal{A}}$
and thus if we set $V = \mathbb{F}_q^{d+1} \setminus f[H_{\mathcal{A}}]$ then we also have $V = \mathbb{F}_q^{d+1} \setminus f[H'_{\mathcal{A}}]$.
It follows by the definition of the protocol that $B_k$ has made an announcement
of the form $X_k = \hat\pi_V[f[H_{B_k}]]$, so that by Lemma 5.4, $\hat\iota_V[X_k] = f[H_{B_k}]$. Similarly,
since $(H', p)$ is also an execution of our protocol, $\hat\iota_V[X_k] = f[H'_{B_k}]$. Thus
$f[H'_{B_k}] = f[H_{B_k}]$; since $f$ is a bijection, $H_{B_k} = H'_{B_k}$, as claimed. □

It remains to check that the shifted projection protocol is perfectly safe. 
This will require a bit more work. 


7 Perfect safety of the shifted projection protocol


To prove that the shifted projection protocol is perfectly safe, we will construct 
new deals that the eavesdropper may consider possible after its execution. The 
following definition shows how we will do this. 

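Definition 7.1. Let $(m, q, d, \tau)$ be suitable parameters. Suppose that

$$p = f, X_1, \ldots, X_m$$

is such that $f: \Omega \to \mathbb{F}_q^{d+1}$ and each $X_i \subseteq \mathbb{F}_q^d$, and let $V \in \mathrm{TH}_q^{d+1}$.

For each agent $\mathcal{X}$ define a hand $H^{(V,p)}_{\mathcal{X}}$ by

• $H^{(V,p)}_{\mathcal{A}} = f^{-1}[\mathbb{F}_q^{d+1} \setminus V]$;

• for $k \in [1, m]$, $H^{(V,p)}_{B_k} = f^{-1}[\hat\iota_V[X_k]]$.

Lemma 7.1. Let $(m, q, d, \tau)$ be suitable parameters. If

$$p = f, X_1, \ldots, X_m$$

is such that $f: \Omega \to \mathbb{F}_q^{d+1}$ is a bijection, $X_1, \ldots, X_m$ form a partition of $\mathbb{F}_q^d$
and $|X_j| = \tau_{B_j}$ for all $j$, then for any transversal hyperplane $V$, $H^{(V,p)}$ is a deal
of distribution type $\tau$ and $(H^{(V,p)}, p)$ is an execution of the shifted projection
protocol.

Proof. First let us check that $H^{(V,p)}$ is a deal of distribution type $\tau$. For it to be
a deal merely means that it is a partition of $\Omega$. Since $|\tau| = q^{d+1} = |\Omega|$, this boils
down to checking that all hands are disjoint and that each agent $\mathcal{X}$ holds $\tau_{\mathcal{X}}$
cards. So suppose $\mathcal{X} \neq \mathcal{Y}$ are two agents. If one of them (say, $\mathcal{X}$) is Alice and
$\mathcal{Y} = B_k$, then we observe that Alice holds the complement of $f^{-1}[V]$ whereas
$\hat\iota_V[X_k] \subseteq V$, so that $H^{(V,p)}_{B_k} = f^{-1}[\hat\iota_V[X_k]] \subseteq f^{-1}[V]$ and hence the two agents’
hands are disjoint. If on the other hand $\mathcal{X} = B_j$ and $\mathcal{Y} = B_k$, then since $f^{-1}$
and $\hat\iota_V$ are injective and $X_j$ and $X_k$ are disjoint, $H^{(V,p)}_{B_j} = f^{-1}[\hat\iota_V[X_j]]$ is
disjoint from $H^{(V,p)}_{B_k} = f^{-1}[\hat\iota_V[X_k]]$. We conclude that all hands of $H^{(V,p)}$ are
disjoint.

The injectivity of $f^{-1}$ and $\hat\iota_V$ also gives us

$$|H^{(V,p)}_{\mathcal{A}}| = |\mathbb{F}_q^{d+1} \setminus V| = q^{d+1} - q^d = \tau_{\mathcal{A}},$$

as well as

$$|H^{(V,p)}_{B_k}| = |f^{-1}[\hat\iota_V[X_k]]| = |X_k| = \tau_{B_k}$$

for all $k \in [1, m]$, so indeed $H^{(V,p)}$ is a deal of distribution type $\tau$.

Finally, let us check that $(H^{(V,p)}, p)$ is an execution of the shifted projection
protocol. We have assumed that $f$ is bijective, and that $\mathbb{F}_q^{d+1} \setminus f[H^{(V,p)}_{\mathcal{A}}] = V$ is
obvious by the definition of $H^{(V,p)}_{\mathcal{A}}$. Meanwhile, using Lemma 5.4 we have for
each agent $B_k$ that

$$\hat\pi_V \circ f[H^{(V,p)}_{B_k}] = \hat\pi_V \circ f[f^{-1} \circ \hat\iota_V[X_k]] = \hat\pi_V \circ \hat\iota_V[X_k] = X_k,$$

so that indeed $(H^{(V,p)}, p)$ is an execution of our protocol. □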


Moreover, $H^{(V,\rho)}$ is unique, in the following sense.


Lemma 7.2. Let $(m, q, d, \tau)$ be suitable parameters. If $H$ is a deal, $\rho = f, X_1, \ldots, X_m$ is a run such that $(H, \rho)$ is an execution of the shifted projection protocol and $V = \mathbb{F}_q^{d+1} \setminus f[H_A]$, then $H = H^{(V,\rho)}$.


Proof. Once we have fixed $V$, then for any agent $B_k$ we must have $H_{B_k} = f^{-1}[\iota_V[X_k]] = H_{B_k}^{(V,\rho)}$, and since Alice also holds the same hand in $H$ and $H^{(V,\rho)}$, the two deals must be equal. □


The deals $H^{(V,\rho)}$ will be essential in showing that the protocol is perfectly safe. In fact, we will show that given any agent $X$ and any run of the protocol $\rho$, the set of possible deals where $X$ holds $c$ is precisely $\tau_X$, as was the case in the example in Section 2. Below we use the notation $(? : C_1, \ldots, C_n)$, introduced in Definition 4.1.


Lemma 7.3. Let $(m, q, d, \tau)$ be suitable parameters, $\rho$ be a run of the shifted projection protocol and $X$ be any agent. Then,

$$|(? : \rho, c^X)| = \tau_X.$$


Proof. Suppose that $\rho = f, X_1, \ldots, X_m$ and let $c \in \Omega$ be any card. We will consider the cases where $X = A$ and where $X = B_k$ separately.


Counting deals where Alice holds c. Let $c$ be any card; we wish to count the number of deals $H$ such that $(H, \rho)$ is an execution of the shifted projection protocol and $c \in H_A$. Now, the complement of $f[H_A]$ is a transversal hyperplane $V$, which should not contain $f(c)$. By Lemma 5.1 there are $q^{d+1}$ transversal hyperplanes and $q^d$ touching $f(c)$, which leaves $q^{d+1} - q^d$ avoiding $f(c)$. By Lemma 7.1, for each such $V$, $H^{(V,\rho)}$ is a deal such that $(H^{(V,\rho)}, \rho)$ is an execution of the shifted projection protocol, and where Alice holds $c$. Moreover, by Lemma 7.2 this is the unique deal with such properties. It follows that the possible deals where Alice holds $c$ are in bijection with the set of transversal hyperplanes avoiding $f(c)$, and thus

$$|(? : \rho, c^A)| = q^{d+1} - q^d = \tau_A.$$

Counting deals where another agent holds c. Now consider the case where $X = B_k$ for some $k$. In this case, we claim that the possible deals where $B_k$ holds $c$ are in bijection with $X_k$. For this, we will define a function


and show that it is bijective.

Fix $v \in X_k$. Let $w = \pi(f(c))$, and pick the unique $U \in \mathrm{TH}_q^{d+1}[f(c)]$ such that $\sigma(U) = v - w$ (which exists by Lemma 5.2). Denote this $U$ by $U^v$.

Now, let $h(v) = H^{(U^v,\rho)}$. We claim that $h$ gives the desired bijection. First let us check that $h(v) \in (? : \rho, c^{B_k})$ whenever $v \in X_k$. By Lemma 7.1, $h(v) = H^{(U^v,\rho)}$ is a new deal and $(h(v), \rho)$ is an execution of the shifted projection protocol, so $h(v) \in (? : \rho)$. Moreover, note that

= iu^{v - a{U'’)) = iu^{w) = f{c). 

But $v \in X_k$ so $f(c) \in \iota_{U^v}[X_k]$, that is,

$$c \in f^{-1}[\iota_{U^v}[X_k]] = H_{B_k}^{(U^v,\rho)}.$$

In other words, $B_k$ holds $c$ in the deal $h(v)$; by definition, this means that $h(v) \in (? : c^{B_k})$. We conclude that $h(v) \in (? : \rho, c^{B_k})$, as claimed.

Next let us check that $h$ is injective. If $v \neq v' \in X_k$ then $v - w \neq v' - w$, so that $U^v \neq U^{v'}$ and thus $h(v) \neq h(v')$, since Alice would hold a different hand in each deal. Since $v, v'$ were arbitrary, we conclude that $h$ is indeed injective.

Finally, let us see that $h$ is onto. Let $H$ be any deal where $B_k$ holds $c$ and such that $(H, \rho)$ is an execution of SP. Let $V$ be the complement of $f[H_A]$. Then, $X_k = \pi_V[f[H_{B_k}]]$, so that $\pi(f(c)) + \sigma(V) \in X_k$. As before, let $w = \pi(f(c))$ and $v = w + \sigma(V)$. Then, $v \in X_k$ and $v - w = \sigma(V)$. But since $V$ touches $f(c)$ and $\sigma$ is a bijection when restricted to $\mathrm{TH}_q^{d+1}[f(c)]$ (once again by Lemma 5.2), it follows that $V = U^v$ and, by Lemma 7.2, $H = H^{(V,\rho)} = h(v)$. Since $H$ was arbitrary, we conclude that $h$ is onto.

Therefore $h$ is a bijection and

$$|(? : \rho, c^{B_k})| = |X_k| = \tau_{B_k},$$

as desired.

Since we have now considered all possible cases for $X \in 3$, the lemma follows.

□ 


We now have all the ingredients we need to prove our main theorem. 

Lemma 7.4. The shifted projection protocol is perfectly safe for any choice of suitable parameters.

Proof. Let $(m, q, d, \tau)$ be suitable parameters, $c$ a card and $X$ an agent. By Lemma 7.3, $|(? : \rho, c^X)| = \tau_X$. Moreover, $|(? : \rho)|$ is equal to the number of transversal hyperplanes in $\mathbb{F}_q^{d+1}$, which by Lemma 5.1 is $q^{d+1} = |\tau|$. Thus by Proposition 4.1,

$$P(c \in H_X \mid \rho) = \frac{|(? : \rho, c^X)|}{|(? : \rho)|} = \frac{\tau_X}{|\tau|},$$

and since $X$ was arbitrary, this means that the protocol is perfectly safe. □


With this, we may prove our main result. 

Proof of Theorem 6.1. By Lemma 6.1 the shifted projection protocol is a protocol according to Definition 3.3; moreover, by Lemma 6.2 it is informative, whereas by Lemma 7.4 it is perfectly safe, as needed. □
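The counting argument of Lemmas 7.3 and 7.4 can be checked by brute force for the distribution type (18, 4, 5) with q = 3 and d = 2. The sketch below is an added illustration, not code from the paper: it assumes a concrete model in which transversal hyperplanes are the graphs y = a·u + b over a prime field, σ(V) = a and π drops the last coordinate (consistent with the counts cited from Lemmas 5.1 and 5.2), and the bijection f, the partition `X_RUN` and the unshifted `shift=False` contrast are constructed for the example.

```python
from itertools import product

def iota(V, x, q, shift=True):
    """Point of the plane V = (a, b), i.e. y = a.u + b, whose projection is x.

    With shift=True the projection is the shifted one, pi(p) + sigma(V),
    where sigma(V) = a is an assumption of this model. q must be prime.
    """
    a, b = V
    u = tuple((xi - ai) % q for xi, ai in zip(x, a)) if shift else tuple(x)
    return u + ((sum(ai * ui for ai, ui in zip(a, u)) + b) % q,)

def consistent_deals(q, d, X, shift=True):
    """Deals H^(V,rho), one per transversal hyperplane V, for the run (f, X_1..X_m)."""
    points = list(product(range(q), repeat=d + 1))
    card = {p: i for i, p in enumerate(points)}          # f^{-1}: point -> card
    deals = []
    for a in product(range(q), repeat=d):
        for b in range(q):
            hands = {f"B{k}": {card[iota((a, b), x, q, shift)] for x in Xk}
                     for k, Xk in enumerate(X, 1)}
            on_plane = set().union(*hands.values())      # the X_k cover all of V
            hands["A"] = set(card.values()) - on_plane   # Alice: every card off V
            deals.append(hands)
    return deals

def holder_counts(deals, agent, n_cards):
    """For each card c, the number of consistent deals in which `agent` holds c."""
    return [sum(c in H[agent] for H in deals) for c in range(n_cards)]

# Constructed run: q = 3, d = 2, agents A, B1, B2 with type (18, 4, 5).
Q, D = 3, 2
BASE = list(product(range(Q), repeat=D))
X_RUN = [BASE[:4], BASE[4:]]          # a partition of F_3^2 into sets of size 4 and 5
TAU = {"A": 18, "B1": 4, "B2": 5}

if __name__ == "__main__":
    deals = consistent_deals(Q, D, X_RUN)
    for agent, t in TAU.items():
        counts = set(holder_counts(deals, agent, Q ** (D + 1)))
        print(agent, "deals per card:", counts, "posterior:", f"{t}/{len(deals)}")
    leaky = consistent_deals(Q, D, X_RUN, shift=False)
    print("unshifted B1:", set(holder_counts(leaky, "B1", Q ** (D + 1))))
```

With the shift, every card gives the same count for a given agent, so the posterior equals the prior; without it, the count for B1 depends on the card, which is exactly the information the eavesdropper must not get.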


8 Finding balanced distribution types 

The shifted projection protocol has the disadvantage that one agent must hold 
a disproportionate portion of the cards. However, this can be controlled to 
a certain extent. In this section we will show how, given the number m of 
agents, one may find suitable distribution types over m agents that are not too 
unbalanced. 

For this we will use the following lemma. 

Lemma 8.1. Given a natural number $m > 0$ there is a prime power $q$ such that $m < q \le 2m$.

Proof. Just take $q$ to be the unique power of 2 satisfying the required bounds.

□ 

There are many possible improvements to this result (for example we may 
take q to be prime using Bertrand’s postulate), but this simple version will 
suffice for our purposes. With this, we may prove the following. 

Corollary 8.1. Given a set $3 = \{A, B_1, \ldots, B_m\}$ of $m + 1$ agents, there are infinitely many values of $a$ such that the shifted projection protocol is informative and perfectly safe for some distribution type $\tau$ over $3$ such that, for each agent $X \in 3$, $\tau_X \in (a, 4m^2 a)$.

Proof. Fix $m$ and use Lemma 8.1 to find a prime power $q \in (m, 2m]$. Fix an arbitrary $d > 1$ and define $\tau$ by setting $\tau_A = q^{d+1} - q^d$ and, for $k \in [1, m - 1]$, $\tau_{B_k} = q^{d-1} + 1$. Finally, let $\tau_{B_m} = q^d - (m - 1)(q^{d-1} + 1)$. Set $a = q^{d-1}$.

Clearly $|\tau| = q^{d+1}$, while

$$\tau_A = q^{d+1} - q^d < 4m^2 q^{d-1} = 4m^2 a.$$

For $k \in [1, m - 1]$, it is obvious that $\tau_{B_k} > q^{d-1}$, while $\tau_{B_m} > q^{d-1}$ because

$$q^d - (m - 1)(q^{d-1} + 1) \ge q^d - (q - 2)(q^{d-1} + 1) = 2q^{d-1} - q + 2 > q^{d-1}.$$

Hence $\tau_X \in (a, 2m^2 a)$ for all agents $X$ and the parameters $(m, q, d, \tau)$ are suitable, so that by Theorem 6.1 the shifted projection protocol is informative and perfectly safe for these parameters. □

| $m$ | $q$ | $d$ | $\tau$ |
|---|---|---|---|
| 3 | 4 | 2 | (48, 5, 5, 6) |
| 4 | 5 | 2 | (100, 6, 6, 6, 7) |
| 4 | 5 | 3 | (500, 31, 31, 31, 32) |

Figure 3: Some choices of suitable parameters. Note that the number of agents is $m + 1$ as Alice is counted separately.


As an application, let us return to the example of Section 2. There were three agents, so we chose $q = 4$ and $d = 1$. The disadvantage was that the distribution type was noticeably unbalanced, since Alice held the vast majority of the cards. However, as the construction in the proof of Corollary 8.1 shows, we can actually take $q = 3$ provided $d > 1$. For $d = 2$ and $q = 3$, we obtain the distribution type (18, 4, 5). Observe that Alice holds about four times as many cards as any other agent. In Figure 3 we see how this is also true for larger values of $d$. We also see how Alice must hold an increasingly larger portion of the cards as the number of agents rises, but for a fixed $m$, the number of cards she holds grows linearly with respect to the others'.

9 Concluding remarks 

We have presented a protocol whereby a number of agents holding information that has been privately dealt to them may share it securely even if their communications are intercepted. For convenience of exposition this information is modelled as a deck of cards, but the ‘cards’ may represent any type of sensitive information, such as characters in a password. Our protocol may be used for secret-sharing or other applications that require unconditionally secure aggregation of information, and provides a higher level of security than that in previous work [B].

For future work it may be of interest to consider possible variations or generalizations, for example based on a wider class of combinatorial designs. There are several advantages that such variations might have. First of all, our protocol requires one agent to hold a large portion of the deck, so it would be convenient to find solutions that work for a larger class of distribution types. Second, we may be interested in obtaining an even higher level of security; [TB] considered the notion of k-perfect security, where the probability that a given agent holds a set of at most k cards does not change after the agents’ announcements. In the two-agent case this is stronger than perfect safety (i.e., 1-perfect security) when k > 1, and a multi-agent generalization might also be fruitful. Finally, we mention that solutions which allow Eve to hold cards would be of interest, as finding protocols for such a setting could be useful for applications where portions of the private information have been compromised by the eavesdropper.